John Smith, principal solutions architect at Veracode, discusses why the connected car poses a significant challenge to the global car industry.
Today is one of the most exciting times in the automotive industry’s history.
Cars are communicating with each other, they’re telling us where available parking spaces are and in some cases they’re even doing the parking for us at the touch of a button.
We are also on the brink of the entirely autonomous car, which uses technology such as radar, GPS and computer vision to sense the environment, detect its surroundings and navigate without human input.
To many of us, this will have seemed impossible just years ago.
However, the UK government has already outlined plans to conduct trials of driverless cars on its road network by the end of next year.
Its goal is to establish the UK as a ‘global centre for excellence’ in connected and autonomous vehicles.
The Google challenge
While IDC projects the total market for automotive-related Internet of Things to be worth $140.3bn this year, this revenue is not exclusively driven by vehicle manufacturers.
They now face unprecedented competition for market share from component manufacturers and software companies such as Google and Apple.
Not only have these traditional software vendors launched their own infotainment solutions, to provide drivers with seamless access to their mobile operating systems in the car, they are also developing autonomous vehicles themselves.
While the impact these driverless cars will have on the market is yet to be seen, their internal software solutions for the car are already having a significant influence on the industry.
The infotainment system – once regarded as a high-margin, differentiating feature amongst rival manufacturers – is now at risk from the tech giants.
Cyber liability in the connected car
It’s not just revenue that’s at stake here.
If a car falls victim to a cyber-attack through applications in a third-party infotainment system, and has an accident, who is at fault? Moreover, who should be held responsible if an application downloaded to a car – or linked smartphone – has a vulnerability and puts the safety of the car or personal data at risk? And what constitutes “reasonable” efforts to address and fix vulnerabilities in applications in cars?
These are all questions that need answering.
New research, carried out by International Data Corporation (IDC) and commissioned by Veracode, revealed that drivers are no clearer as to where this responsibility lies.
When asked who should be liable if they downloaded an app that resulted in a vulnerability in their car, the largest group of drivers (40%) held themselves responsible, a fifth (20%) pointed a finger at the app developers and manufacturers alike, and 17% blamed the app store.
Three years from safety?
In producing this research paper, IDC also conducted in-depth interviews with leading vehicle manufacturers and, following these briefings, predicts a security lag of up to three years before application systems catch up with cyber threats.
With recent media coverage exposing critical vulnerabilities in applications in connected cars – for example allowing a Jeep Cherokee to be hacked remotely and brought to a standstill via a computer – it is no surprise that half of British drivers are concerned about the security of the connected car.
Confronting the issues
Driver and passenger safety are clearly of paramount importance, and there are several issues manufacturers – and the government – must address to ensure they get this right.
Manufacturers cannot afford to be complacent when it comes to software and application security.
Based on IDC’s research, it seems they are considering two approaches to securing the connected car.
The first is to completely separate infotainment systems from driver functionality, ensuring no links can be made between their applications.
This is easier said than done, with cars being developed to exchange data with cloud-based applications for GPS mapping or with other cars to share real-time information about traffic patterns and road conditions.
The second approach is for the manufacturer to assume responsibility – if not liability – for the complete car ‘package’, regardless of the software and applications it houses and who has downloaded them.
For the government, clear regulatory standards must be enforced to ensure manufacturers, technology vendors and drivers know exactly where they stand.
Technology developments are taking place faster than the government can bring in new statutes, leaving lawmakers stranded at legislative crossroads.
However, with increasing numbers of connected vehicles on our roads, this is an issue that must be addressed today.
What we’re seeing happen in the car industry is a microcosm of what’s happening in financial services, healthcare and virtually every other sector – applications not developed with security in mind, creating a major area of risk.
The key difference here is that an application vulnerability in a car could put somebody’s life in danger, and that is why manufacturers, technology companies and the government must work together to ensure the safety and security of drivers in this connected age.